1
00:00:01,030 --> 00:00:08,680
Now that we've got Wireshark installed and we've got our adapter set back to the private host only network,

2
00:00:08,680 --> 00:00:14,650
the box net zero, and we've turned that Ethernet adapter, that network adapter to promiscuous mode

3
00:00:14,670 --> 00:00:20,320
and advanced, we're ready to let's go and shut down Wireshark if you still have it running since we

4
00:00:20,320 --> 00:00:21,220
changed the interface.

5
00:00:21,220 --> 00:00:24,160
And let's start Wireshark back on that Windows 10 computer.

6
00:00:24,820 --> 00:00:26,160
Then we can go to capture.

7
00:00:26,680 --> 00:00:28,030
Come to options.

8
00:00:29,620 --> 00:00:34,810
And we'll just make sure that we're connected to that Internet and it's in promiscuous mode, that's

9
00:00:34,810 --> 00:00:36,700
going to be OK clothes.

10
00:00:37,240 --> 00:00:39,850
So we're ready to capture an wireshark now.

11
00:00:39,850 --> 00:00:45,280
We need to make sure that we have our utility Sorrow and Métis floatable to running.

12
00:00:45,280 --> 00:00:49,630
We're actually going to log into MUTILATOR, but we're going to try our Métis floatable to all you need

13
00:00:49,630 --> 00:00:51,490
to do is the if config.

14
00:00:52,520 --> 00:00:59,030
And that is it tendo 3:00 to 5:00 and we should be listening that Tenga three hosts only network, so

15
00:00:59,030 --> 00:01:02,210
10 that three to five for me, if yours is different, that's fine.

16
00:01:02,510 --> 00:01:06,860
Open your Windows seven box and we're going to open up a browser.

17
00:01:09,300 --> 00:01:13,860
And let's surf to 10 dot o dot three, dot five.

18
00:01:14,910 --> 00:01:20,190
We can see how Métis voidable box is up and running and manipulatable is going to be really useful when

19
00:01:20,190 --> 00:01:24,780
we do Web hacking, but we're going to demonstrate how we can capture a plaintext password if it's sent

20
00:01:24,780 --> 00:01:27,800
out over an unencrypted channel across a network.

21
00:01:28,140 --> 00:01:32,940
Anybody who's connected to the network that Windows 10 machine is completely separate from these other

22
00:01:32,940 --> 00:01:33,720
two computers.

23
00:01:33,720 --> 00:01:38,270
Anybody connected to your network can sniff your passwords if you send them unencrypted.

24
00:01:38,520 --> 00:01:39,780
So let's see that happen.

25
00:01:39,780 --> 00:01:41,810
First of all, come down to mutilator.

26
00:01:41,820 --> 00:01:50,010
A Utility is a terrific application for learning various Web exploits so you can try different types

27
00:01:50,010 --> 00:01:50,840
of attacks.

28
00:01:50,850 --> 00:01:55,410
It's an attackable platform mutilate utility born to be hacked.

29
00:01:55,800 --> 00:01:58,650
Let's go to the login register page.

30
00:01:58,650 --> 00:02:04,150
So we've logged in to wear on our Windows seven box, but we've actually logged in to our metastable

31
00:02:04,260 --> 00:02:12,750
server and we've clicked through the utility because it is a good log in register page so we can reset

32
00:02:12,750 --> 00:02:18,060
the DB That'll be handy for us as well and come back to log in register.

33
00:02:20,480 --> 00:02:26,780
I'm going to go ahead and start my log in, I'm not going to press log in, but I'll say Fred and my

34
00:02:26,780 --> 00:02:31,580
password is Wilma, you can log in to another service if you wanted to.

35
00:02:31,580 --> 00:02:35,440
You could log into anything that doesn't require an encrypted connection.

36
00:02:35,780 --> 00:02:42,230
The key to this is that if you ever log in into an HTP server, whether that's your WordPress server

37
00:02:42,230 --> 00:02:49,850
and you do your dash log in over HTP, or if you log in to your school's email, your work e-mail over

38
00:02:49,850 --> 00:02:57,440
an unsecure connection, your password is being sent over a huge network, just like the one we're about

39
00:02:57,440 --> 00:02:58,200
to see here.

40
00:02:58,220 --> 00:03:01,820
So this is a small network with just three computers running on it right now.

41
00:03:02,090 --> 00:03:09,020
But I've got my Windows seven computer ready to log in to this login page that is not secure on my Métis

42
00:03:09,020 --> 00:03:09,870
floatable server.

43
00:03:10,250 --> 00:03:11,380
Hold it right there.

44
00:03:11,720 --> 00:03:17,300
We're going to come over to Windows 10 that's running our Wireshark and we're going to start the packet

45
00:03:17,300 --> 00:03:18,980
capture press start.

46
00:03:19,340 --> 00:03:21,880
And now Windows 10 is going to be listening for packets.

47
00:03:21,920 --> 00:03:25,550
Let's send it a packet will log in with Fred and Wilma.

48
00:03:25,590 --> 00:03:27,620
Notice it's asking if we want to remember the password.

49
00:03:27,650 --> 00:03:28,550
No, we don't.

50
00:03:29,150 --> 00:03:34,130
So when we run this, we're going to see that it needs the database set up.

51
00:03:34,130 --> 00:03:37,370
But that's OK because we have sent our login information.

52
00:03:37,370 --> 00:03:38,870
Switch back to Wireshark and press.

53
00:03:38,870 --> 00:03:39,380
Stop.

54
00:03:40,760 --> 00:03:46,430
So on a Windows team computer, we're stopping Wireshark now, all we need to do is, well, first,

55
00:03:46,430 --> 00:03:52,250
let's say this, these captured packets file save as so I'm just sniffing it at work.

56
00:03:52,250 --> 00:03:57,950
I see somebody logging in on a computer over someplace else that Windows seven computer someplace across

57
00:03:57,950 --> 00:04:02,180
the coffee shop or any place that doing security testing.

58
00:04:03,110 --> 00:04:11,420
I'm going to call this log in traffic because I think somebody logged in and we'll use the pickup in

59
00:04:11,690 --> 00:04:13,910
format press save.

60
00:04:15,410 --> 00:04:21,650
So we've got these packets that we can come back and look at later, but let's go ahead and go to edit

61
00:04:22,430 --> 00:04:23,420
find packet.

62
00:04:24,970 --> 00:04:29,020
And let's change this to string and see if we can find.

63
00:04:29,940 --> 00:04:38,980
Well, a lot of times on our website posts or Sin's a form to a server, it uses the post command or

64
00:04:38,980 --> 00:04:39,870
the post format.

65
00:04:39,880 --> 00:04:43,990
So let's see if we can find post and we may see a few down here.

66
00:04:43,990 --> 00:04:45,990
Look look at this one highlighted right here.

67
00:04:46,510 --> 00:04:53,080
There's a post from a ten point three dot for that must be one Windows seven computer to ten dot dot

68
00:04:53,080 --> 00:04:54,180
three to five.

69
00:04:54,190 --> 00:05:01,060
That is my utility, my and my utility Web site running on the splitter box.

70
00:05:01,060 --> 00:05:08,950
And notice it's an HTP post and it's trying to post a login so we could also search for log in as a

71
00:05:08,950 --> 00:05:09,490
string.

72
00:05:10,120 --> 00:05:13,230
But if you know how Web forms work, Post is a really good one.

73
00:05:13,630 --> 00:05:16,390
So if I click on this packet and if I double click.

74
00:05:17,460 --> 00:05:26,880
I'm going to see that it had an HTP form or HTML form, if I expand that, look at the information that

75
00:05:26,880 --> 00:05:33,440
went across this network, Fred, and a password of Willmar and attempted to log in.

76
00:05:33,830 --> 00:05:34,860
Wow.

77
00:05:34,860 --> 00:05:41,580
That should scare you if you ever log into a Web site that doesn't have HTP.

78
00:05:41,610 --> 00:05:47,160
And that little luck symbol lets you know that the site is secure, that it's encrypting that traffic

79
00:05:47,160 --> 00:05:52,980
before it sends it out, you need to know that you are sending usernames and passwords in plain text

80
00:05:52,980 --> 00:05:53,910
across a network.

81
00:05:54,180 --> 00:05:58,890
I'm on a completely different computer that just happens to be connected to the same network.

82
00:05:58,890 --> 00:06:01,930
And I can see Fred and Wilma as plain as day.

83
00:06:02,280 --> 00:06:09,000
So if those were my username and password for that remote server, my meds floatable server, I would

84
00:06:09,000 --> 00:06:12,480
have just given that out in plain text on the network.

85
00:06:12,480 --> 00:06:17,700
That's almost like putting a Post-it note on your monitor with a username and password for your favorite

86
00:06:17,700 --> 00:06:18,250
Web site.

87
00:06:18,870 --> 00:06:23,850
So let's look through this packet a little bit down below and see we can see the individual characters

88
00:06:23,850 --> 00:06:24,690
in that packet.

89
00:06:25,030 --> 00:06:29,640
And if you scroll down here, you can see password equals Wilma.

90
00:06:30,830 --> 00:06:38,270
It's all right there, password equals Wilma, so there's a whole lot of other digital information that

91
00:06:38,270 --> 00:06:40,640
was sent in this packet, you can see that.

92
00:06:41,760 --> 00:06:48,240
Tells the location of the form, tells what kind of information it accepts and a lot more, but the

93
00:06:48,240 --> 00:06:51,960
key word that we were looking for was our password.

94
00:06:52,410 --> 00:06:58,950
And we found that just by looking for information that had been posted to a Web server, you can also

95
00:06:59,010 --> 00:07:05,160
when you get good at using Wireshark, you can search for strings like Pass or Password or TWD and you

96
00:07:05,160 --> 00:07:06,780
will turn up a lot more like this.

97
00:07:06,780 --> 00:07:13,260
It just turns out that our very first form posting we captured just for a little bit that we didn't

98
00:07:13,260 --> 00:07:19,350
have to do very much searching because we captured Rudd is that user was clicking log in, then we stopped

99
00:07:19,350 --> 00:07:23,790
our capture, saved everything, and now we can surf through that packet.

100
00:07:23,850 --> 00:07:26,280
That individual packet was sent notice.

101
00:07:26,280 --> 00:07:30,150
There's a whole lot of packets that were sent and some even had posts in them.

102
00:07:31,080 --> 00:07:33,030
But we were lucky to turn up that post.

103
00:07:33,030 --> 00:07:37,470
Mutability going to attend at three point five pretty quickly.

104
00:07:38,250 --> 00:07:43,320
There's one more set of skills that we need to flex to understand why it's important to have good passwords

105
00:07:43,590 --> 00:07:47,190
and why it's important to protect those passwords with good security.

106
00:07:47,580 --> 00:07:49,090
And we'll see that in the next lesson.

107
00:07:49,090 --> 00:07:54,780
Then we'll do a wrap up and see some tips on how you can avoid having your passwords taken the way that

108
00:07:54,780 --> 00:07:57,120
we've shown in these lessons so far.